```html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Nginx用户认证访问控制指南 | 技术小馆</title>
    <link href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css" rel="stylesheet">
    <link href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            color: #333;
            line-height: 1.6;
        }
        .hero {
            background: linear-gradient(135deg, #1e3c72 0%, #2a5298 100%);
        }
        .section-title {
            position: relative;
            padding-left: 2rem;
        }
        .section-title:before {
            content: '';
            position: absolute;
            left: 0;
            top: 0.5em;
            height: 1.5em;
            width: 0.5rem;
            background: #3b82f6;
            border-radius: 0.25rem;
        }
        .code-block {
            background: #f8fafc;
            border-left: 4px solid #3b82f6;
            transition: all 0.3s ease;
        }
        .code-block:hover {
            background: #f1f5f9;
            box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
        }
        .card:hover {
            transform: translateY(-5px);
            box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
        }
        .footer-link:hover {
            color: #93c5fd;
        }
        .auth-flow {
            background: linear-gradient(135deg, #f5f7fa 0%, #e4e8f0 100%);
            border-radius: 0.75rem;
        }
    </style>
</head>
<body class="bg-gray-50">
    <!-- Hero Section -->
    <section class="hero text-white py-20 px-4 sm:px-6 lg:px-8">
        <div class="max-w-4xl mx-auto text-center">
            <div class="inline-block bg-blue-600/20 backdrop-blur-sm px-4 py-2 rounded-full mb-6">
                <span class="text-blue-200 text-sm font-medium"><i class="fas fa-lock mr-2"></i>安全认证</span>
            </div>
            <h1 class="text-4xl md:text-5xl font-bold mb-6 leading-tight">Nginx用户认证访问控制指南</h1>
            <p class="text-xl text-blue-100 max-w-2xl mx-auto">深入解析HTTP基本认证、OAuth/JWT集成及IP访问控制的最佳实践</p>
            <div class="mt-10">
                <a href="#basic-auth" class="inline-flex items-center px-6 py-3 bg-white text-blue-700 font-medium rounded-lg hover:bg-blue-50 transition duration-300 mr-4">
                    <i class="fas fa-key mr-2"></i> 基本认证
                </a>
                <a href="#advanced-auth" class="inline-flex items-center px-6 py-3 bg-blue-700/30 text-white font-medium rounded-lg hover:bg-blue-700/40 transition duration-300">
                    <i class="fas fa-shield-alt mr-2"></i> 高级认证
                </a>
            </div>
        </div>
    </section>

    <!-- Main Content -->
    <div class="max-w-6xl mx-auto px-4 sm:px-6 lg:px-8 py-12">
        <div class="flex flex-col lg:flex-row gap-8">
            <!-- Main Article -->
            <article class="lg:w-2/3">
                <!-- Introduction -->
                <section class="mb-16">
                    <p class="text-lg text-gray-700 mb-6">在Nginx中实现基于用户认证的访问控制主要涉及配置HTTP基本认证或基于其他身份验证机制的访问控制。本文将详细介绍各种认证方式的配置方法和最佳实践。</p>
                    
                    <div class="bg-blue-50 border-l-4 border-blue-400 p-4 mb-8 rounded">
                        <div class="flex">
                            <div class="flex-shrink-0">
                                <i class="fas fa-info-circle text-blue-500 text-xl mt-1"></i>
                            </div>
                            <div class="ml-3">
                                <h3 class="text-sm font-medium text-blue-800">关键概念</h3>
                                <div class="mt-2 text-sm text-blue-700">
                                    <p>认证(Authentication)是验证用户身份的过程，授权(Authorization)是确定用户权限的过程。Nginx提供了多种方式来实现这两者。</p>
                                </div>
                            </div>
                        </div>
                    </div>
                </section>

                <!-- Basic Auth Section -->
                <section id="basic-auth" class="mb-16">
                    <h2 class="section-title text-2xl font-bold mb-6 text-gray-800">1. HTTP 基本认证</h2>
                    <p class="mb-6">HTTP基本认证是一种最简单的认证机制，它通过用户名和密码来保护受限资源。</p>
                    
                    <div class="flex flex-col md:flex-row gap-6 mb-10">
                        <div class="md:w-1/2">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-file-alt mr-2 text-blue-500"></i> 1.1 创建密码文件
                            </h3>
                            <p class="mb-4">首先，需要创建一个包含用户名和加密密码的文件。可以使用 <code class="bg-gray-100 px-1 py-0.5 rounded">htpasswd</code> 工具来生成该文件。</p>
                            
                            <div class="code-block p-4 rounded-lg mb-6">
                                <div class="flex items-center text-gray-500 text-sm mb-2">
                                    <i class="fas fa-terminal mr-2"></i>
                                    <span>安装 htpasswd 工具</span>
                                </div>
                                <pre class="text-gray-800 overflow-x-auto"><code>sudo apt-get install apache2-utils  # Debian/Ubuntu
sudo yum install httpd-tools        # CentOS/RHEL</code></pre>
                            </div>
                            
                            <div class="code-block p-4 rounded-lg">
                                <div class="flex items-center text-gray-500 text-sm mb-2">
                                    <i class="fas fa-terminal mr-2"></i>
                                    <span>创建密码文件</span>
                                </div>
                                <pre class="text-gray-800 overflow-x-auto"><code>htpasswd -c /etc/nginx/.htpasswd username</code></pre>
                            </div>
                            <p class="mt-3 text-sm text-gray-600"><code class="bg-gray-100 px-1 py-0.5 rounded">-c</code> 选项用于创建新文件。如果文件已经存在，省略 <code class="bg-gray-100 px-1 py-0.5 rounded">-c</code> 选项来添加新用户。</p>
                        </div>
                        
                        <div class="md:w-1/2">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-cog mr-2 text-blue-500"></i> 1.2 配置 Nginx 进行基本认证
                            </h3>
                            <p class="mb-4">在Nginx配置文件中，添加以下配置来启用基本认证。</p>
                            
                            <div class="code-block p-4 rounded-lg">
                                <div class="flex items-center text-gray-500 text-sm mb-2">
                                    <i class="fas fa-code mr-2"></i>
                                    <span>Nginx 配置</span>
                                </div>
                                <pre class="text-gray-800 overflow-x-auto"><code>server {
    listen 80;
    server_name demo.com;

    location /secure/ {
        auth_basic "Restricted Area";          # 提示消息
        auth_basic_user_file /etc/nginx/.htpasswd;  # 密码文件路径

        # 其他配置
        proxy_pass http://backend;
    }
}</code></pre>
                            </div>
                            
                            <div class="mt-4 p-4 bg-yellow-50 border-l-4 border-yellow-400 rounded">
                                <div class="flex">
                                    <div class="flex-shrink-0">
                                        <i class="fas fa-exclamation-triangle text-yellow-500 mt-1"></i>
                                    </div>
                                    <div class="ml-3">
                                        <h3 class="text-sm font-medium text-yellow-800">安全提示</h3>
                                        <div class="mt-2 text-sm text-yellow-700">
                                            <p>基本认证会以Base64编码方式传输凭证，建议始终与HTTPS一起使用以避免凭据被窃听。</p>
                                        </div>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                </section>

                <!-- Advanced Auth Section -->
                <section id="advanced-auth" class="mb-16">
                    <h2 class="section-title text-2xl font-bold mb-6 text-gray-800">2. 基于 OAuth 或 JWT 的认证</h2>
                    <p class="mb-6">对于更复杂的认证机制，如OAuth2或JWT（JSON Web Token），需要使用第三方模块或结合Nginx与认证服务。</p>
                    
                    <div class="grid grid-cols-1 md:grid-cols-2 gap-6 mb-8">
                        <div class="card bg-white p-6 rounded-xl shadow-md transition duration-300">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-project-diagram mr-2 text-purple-500"></i> 2.1 使用Nginx认证模块
                            </h3>
                            <p class="mb-4">Nginx本身不直接支持OAuth或JWT，但可以通过第三方模块或与认证代理集成来实现。</p>
                            
                            <div class="code-block p-4 rounded-lg mb-4">
                                <div class="flex items-center text-gray-500 text-sm mb-2">
                                    <i class="fas fa-code mr-2"></i>
                                    <span>nginx-auth-request 模块配置</span>
                                </div>
                                <pre class="text-gray-800 overflow-x-auto"><code>server {
    listen 80;
    server_name demo.com;

    location / {
        auth_request /auth;  # 认证请求位置

        # 认证失败时的处理
        error_page 401 = /error401;
        proxy_pass http://backend;
    }

    location = /auth {
        proxy_pass http://auth-server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}</code></pre>
                            </div>
                        </div>
                        
                        <div class="card bg-white p-6 rounded-xl shadow-md transition duration-300">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-plus-circle mr-2 text-green-500"></i> 2.2 使用Nginx Plus
                            </h3>
                            <p class="mb-4">Nginx Plus提供了内置的访问控制和身份验证功能，可以直接集成OAuth2和其他身份验证方案。</p>
                            <div class="flex items-center justify-center h-32">
                                <div class="text-center">
                                    <i class="fas fa-crown text-yellow-400 text-4xl mb-2"></i>
                                    <p class="text-gray-600">Nginx Plus提供企业级认证功能</p>
                                </div>
                            </div>
                        </div>
                    </div>
                    
                    <!-- Authentication Flow Diagram -->
                    <div class="auth-flow p-6 mb-8">
                        <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                            <i class="fas fa-random mr-2 text-blue-500"></i> OAuth认证流程
                        </h3>
                        <div class="mermaid">
                            sequenceDiagram
                                participant User
                                participant Nginx
                                participant AuthServer
                                participant Backend
                                User->>Nginx: 访问受保护资源
                                Nginx->>AuthServer: 转发认证请求
                                AuthServer-->>Nginx: 认证结果
                                alt 认证成功
                                    Nginx->>Backend: 转发请求
                                    Backend-->>Nginx: 返回资源
                                    Nginx-->>User: 返回资源
                                else 认证失败
                                    Nginx-->>User: 返回401/403
                                end
                        </div>
                    </div>
                </section>

                <!-- IP Whitelist Section -->
                <section class="mb-16">
                    <h2 class="section-title text-2xl font-bold mb-6 text-gray-800">3. 配置IP白名单和黑名单</h2>
                    <p class="mb-6">除了基本认证，还可以配置IP白名单和黑名单，以限制访问。</p>
                    
                    <div class="code-block p-4 rounded-lg mb-6">
                        <div class="flex items-center text-gray-500 text-sm mb-2">
                            <i class="fas fa-code mr-2"></i>
                            <span>IP访问控制配置</span>
                        </div>
                        <pre class="text-gray-800 overflow-x-auto"><code>server {
    listen 80;
    server_name demo.com;

    location / {
        # 允许指定IP地址访问
        allow 192.168.1.0/24;
        deny all;  # 拒绝所有其他IP地址
    }
}</code></pre>
                    </div>
                    
                    <div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
                        <div class="bg-green-50 p-4 rounded-lg border border-green-200">
                            <h4 class="font-medium text-green-800 mb-2 flex items-center">
                                <i class="fas fa-check-circle mr-2 text-green-500"></i> 允许规则
                            </h4>
                            <p class="text-sm text-green-700"><code class="bg-green-100 px-1 py-0.5 rounded">allow</code>: 指定允许访问的IP地址或网段</p>
                        </div>
                        <div class="bg-red-50 p-4 rounded-lg border border-red-200">
                            <h4 class="font-medium text-red-800 mb-2 flex items-center">
                                <i class="fas fa-times-circle mr-2 text-red-500"></i> 拒绝规则
                            </h4>
                            <p class="text-sm text-red-700"><code class="bg-red-100 px-1 py-0.5 rounded">deny</code>: 拒绝所有其他IP地址</p>
                        </div>
                    </div>
                </section>

                <!-- Configuration & Optimization -->
                <section class="mb-16">
                    <h2 class="section-title text-2xl font-bold mb-6 text-gray-800">4. 配置和优化</h2>
                    
                    <div class="grid grid-cols-1 md:grid-cols-2 gap-6">
                        <div class="card bg-white p-6 rounded-xl shadow-md transition duration-300">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-lock mr-2 text-blue-500"></i> 4.1 配置HTTPS
                            </h3>
                            <p class="mb-4">为了提高安全性，建议在启用认证的同时使用HTTPS。配置SSL/TLS以加密传输数据。</p>
                            
                            <div class="code-block p-4 rounded-lg">
                                <div class="flex items-center text-gray-500 text-sm mb-2">
                                    <i class="fas fa-code mr-2"></i>
                                    <span>HTTPS配置</span>
                                </div>
                                <pre class="text-gray-800 overflow-x-auto"><code>server {
    listen 443 ssl;
    server_name demo.com;

    ssl_certificate /etc/nginx/ssl/demo.com.crt;
    ssl_certificate_key /etc/nginx/ssl/demo.com.key;

    location /secure/ {
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://backend;
    }
}</code></pre>
                            </div>
                        </div>
                        
                        <div class="card bg-white p-6 rounded-xl shadow-md transition duration-300">
                            <h3 class="text-xl font-semibold mb-4 text-gray-700 flex items-center">
                                <i class="fas fa-sync-alt mr-2 text-blue-500"></i> 4.2 定期更新密码
                            </h3>
                            <p class="mb-4">确保定期更新密码文件中的密码，以维持系统的安全性。</p>
                            
                            <div class="flex items-center justify-center h-32">
                                <div class="text-center">
                                    <i class="fas fa-calendar-alt text-blue-400 text-4xl mb-2"></i>
                                    <p class="text-gray-600">建议每90天更新一次密码</p>
                                </div>
                            </div>
                        </div>
                    </div>
                </section>
            </article>
            
            <!-- Sidebar -->
            <aside class="lg:w-1/3">
                <div class="sticky top-6">
                    <!-- Table of Contents -->
                    <div class="bg-white p-6 rounded-xl shadow-md mb-6">
                        <h3 class="text-lg font-semibold mb-4 text-gray-800 flex items-center">
                            <i class="fas fa-list-ul mr-2 text-blue-500"></i> 目录
                        </h3>
                        <nav>
                            <ul class="space-y-2">
                                <li><a href="#basic-auth" class="text-blue-600 hover:text-blue-800 hover:underline transition duration-150">1. HTTP 基本认证</a></li>
                                <li class="ml-4"><a href="#basic-auth" class="text-gray-600 hover:text-blue-600 hover:underline transition duration-150">1.1 创建密码文件</a></li>
                                <li class="ml-4"><a href="#basic-auth" class="text-gray-600 hover:text-blue-600 hover:underline transition duration-150">1.2 配置Nginx</a></li>
                                <li><a href="#advanced-auth" class="text-blue-600 hover:text-blue-800 hover:underline transition duration-150">2. 基于OAuth或JWT的认证</a></li>
                                <li><a href="#ip-whitelist" class="text-blue-600 hover:text-blue-800 hover:underline transition duration-150">3. IP白名单和黑名单</a></li>
                                <li><a href="#optimization" class="text-blue-600 hover:text-blue-800 hover:underline transition duration-150">4. 配置和优化</a></li>
                            </ul>
                        </nav>
                    </div>
                    
                    <!-- Key Points -->
                    <div class="bg-white p-6 rounded-xl shadow-md">
                        <h3 class="text-lg font-semibold mb-4 text-gray-800 flex items-center">
                            <i class="fas fa-key mr-2 text-blue-500"></i> 关键要点
                        </h3>
                        <ul class="space-y-3">
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>基本认证适用于简单的保护场景</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>OAuth/JWT适合分布式系统认证</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>IP限制提供额外的安全层</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>始终结合HTTPS使用认证</span>
                            </li>
                            <li class="flex items-start">
                                <i class="fas fa-check-circle text-green-500 mt-1 mr-2"></i>
                                <span>定期审计和更新安全配置</span>
                            </li>
                        </ul>
                    </div>
                </div>
            </aside>
        </div>
    </div>

    <!-- Footer -->
    <footer class="bg-gray-900 text-gray-300 py-8">
        <div class="max-w-6xl mx-auto px-4 sm:px-6 lg:px-8">
            <div class="flex flex-col md:flex-row justify-between items-center">
                <div class="mb-4 md:mb-0">
                    <h3 class="text-xl font-medium text-white mb-2">技术小馆</h3>
                    <p class="text-sm">专业的技术知识与最佳实践分享</p>
                </div>
                <div>
                    <a href="http://www.yuque.com/jtostring" class="footer-link text-blue-300 hover:text-blue-100 transition duration-150">
                        <i class="fas fa-external-link-alt mr-1"></i> 访问技术小馆
                    </a>
                </div>
            </div>
            <div class="mt-8 pt-8 border-t border-gray-800 text-sm text-center text-gray-400">
                &copy; 2023 技术小馆. 保留所有权利.
            </div>
        </div>
    </footer>

    <script>
        mermaid.initialize({
            startOnLoad: true,
            theme: 'default',
            flowchart: {
                useMaxWidth: true,
                htmlLabels: true,
                curve: 'basis'
            }
        });
        
        // Smooth scrolling for anchor links
        document.querySelectorAll('a[href^="#"]').forEach(anchor => {
            anchor.addEventListener('click', function (e) {
                e.preventDefault();
                document.querySelector(this.getAttribute('href')).scrollIntoView({
                    behavior: 'smooth'
                });
            });
        });
    </script>
</body>
</html>
```